Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

0
Medium
Published: 07/07/2026 (07/07/2026, 14:14:56 UTC)
Source: AlienVault OTX General

Description

This threat involves a sophisticated multi-stage infection chain delivering the CrySome remote access trojan (RAT) via spear-phishing with a logistics rate confirmation lure. The attack uses living-off-the-land techniques, including UAC bypass via the ICMLuaUtil COM interface and in-memory AMSI patching, to evade detection. An open-source tool, WinDefCtl, is employed to disrupt Windows Defender protections before deploying the final payload. CrySome RAT establishes persistence through scheduled tasks and enables attackers to perform hidden VNC access, remote command execution, system reconnaissance, and credential theft from Chromium-based browsers. The campaign highlights the use of publicly available tools combined with legitimate Windows processes to minimize detection and achieve full system compromise.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 14:43:14 UTC

Technical Analysis

The analyzed infection chain begins with spear-phishing targeting logistics personnel, delivering CrySome RAT through multiple stages. The attackers leverage living-off-the-land techniques such as the ICMLuaUtil COM interface for UAC bypass and patch AMSI in memory to avoid detection. Prior to final payload deployment, the open-source WinDefCtl tool is used to weaken endpoint protections, specifically Windows Defender. CrySome RAT then establishes persistence via scheduled tasks and provides operators with capabilities including hidden VNC sessions, remote command execution, system reconnaissance, and credential theft focused on Chromium-based browsers. This campaign exemplifies modern threat actors' reliance on publicly available tooling and legitimate Windows components to evade detection and maintain persistence.

Potential Impact

Successful exploitation results in full system compromise with persistent remote access. Attackers gain capabilities for stealthy remote control (hidden VNC), execution of arbitrary commands, system information gathering, and theft of stored credentials from Chromium-based browsers. Endpoint protections are weakened using open-source tools, increasing the likelihood of sustained undetected presence. The infection chain leverages multiple evasion techniques, complicating detection and response.

Mitigation Recommendations

No official patch or vendor advisory is provided for this malware infection chain. Mitigation should focus on user awareness to prevent spear-phishing attacks, monitoring for use of known living-off-the-land techniques such as ICMLuaUtil COM interface abuse and AMSI bypass attempts, and detection of the WinDefCtl tool or scheduled tasks associated with CrySome RAT persistence. Endpoint protection solutions should be updated and configured to detect and block known indicators of compromise such as the listed hashes and domains. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and removal of the malware rather than patching.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.levelblue.com/blogs/spiderlabs-blog/from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis"]
Adversary
null
Pulse Id
6a4d09e0fbf878666b3d5afd
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hashff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8
hashf8a3f28ecbd0b08ecab73ef571f16c3d0bd5e009
hash2f4b5a0d98bc4e5616f2dd04337ae674
hashec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4
hash53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff
hashced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd
hashb7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3
hashc380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a
hash45a2228e44257169210cc5dc06e12a6c
hashde2df0905ece1a1e7f0a70adf36c75deb06b4e4b

Domain

ValueDescriptionCopy
domainsignindat.com

Url

ValueDescriptionCopy
urlhttps://signindat.com/ElevatorShellCode.exe
urlhttps://signindat.com/update.exe
urlhttps://signindat.com/patch.exe
urlhttps://signindat.com/stage.ps1
urlhttps://signindat.com/Rate_Confirmation_LD-2026-0847.pdf
urlhttps://signindat.com

Threat ID: 6a4d0d07c9d9e3dbe34e7e7a

Added to database: 07/07/2026, 14:28:23 UTC

Last enriched: 07/07/2026, 14:43:14 UTC

Last updated: 07/08/2026, 03:57:11 UTC

Views: 62

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses